Lucene search

K
nmapJer HiebertNMAP:IMPRESS-REMOTE-DISCOVER.NSE
HistoryMar 04, 2017 - 7:54 p.m.

impress-remote-discover NSE Script

2017-03-0419:54:56
Jer Hiebert
nmap.org
201

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Tests for the presence of the LibreOffice Impress Remote server. Checks if a PIN is valid if provided and will bruteforce the PIN if requested.

When a remote first contacts Impress and sends a client name and PIN, the user must open the “Slide Show -> Impress Remote” menu and enter the matching PIN at the prompt, which shows the client name. Subsequent connections with the same client name may then use the same PIN without user interaction. If no PIN has been set for the session, each PIN attempt will result in a new prompt in the “Impress Remote” menu. Brute-forcing the PIN, therefore, requires that the user has entered a PIN for the same client name, and will result in lots of extra prompts in the “Impress Remote” menu.

Script Arguments

impress-remote-discover.client

String value of the client name (default is Firefox OS).

impress-remote-discover.bruteforce

No value needed (default is false).

impress-remote-discover.pin

PIN number for the remote (default is 0000).

Example Usage

nmap -p 1599 --script impress-remote-discover <host>

Script Output

PORT     STATE SERVICE        Version
1599/tcp open  impress-remote LibreOffice Impress remote 4.3.3.2
| impress-remote-discover:
|   Impress Version: 4.3.3.2
|   Remote PIN: 0000
|_  Client Name used: Firefox OS

Requires


local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Tests for the presence of the LibreOffice Impress Remote server.
Checks if a PIN is valid if provided and will bruteforce the PIN
if requested.

When a remote first contacts Impress and sends a client name and PIN, the user
must open the "Slide Show -> Impress Remote" menu and enter the matching PIN at
the prompt, which shows the client name. Subsequent connections with the same
client name may then use the same PIN without user interaction.  If no PIN has
been set for the session, each PIN attempt will result in a new prompt in the
"Impress Remote" menu. Brute-forcing the PIN, therefore, requires that the user
has entered a PIN for the same client name, and will result in lots of extra
prompts in the "Impress Remote" menu.
]]

---
-- @usage nmap -p 1599 --script impress-remote-discover <host>
--
-- @output
-- PORT     STATE SERVICE        Version
-- 1599/tcp open  impress-remote LibreOffice Impress remote 4.3.3.2
-- | impress-remote-discover:
-- |   Impress Version: 4.3.3.2
-- |   Remote PIN: 0000
-- |_  Client Name used: Firefox OS
--
-- @args impress-remote-discover.bruteforce No value needed (default is
--       <code>false</code>).
--
-- @args impress-remote-discover.client String value of the client name
--       (default is <code>Firefox OS</code>).
--
-- @args impress-remote-discover.pin PIN number for the remote (default is
--       <code>0000</code>).

author = "Jer Hiebert"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}

portrule = shortport.port_or_service(1599, "impress-remote", "tcp")

local function parse_args()
  local args = {}

  local client_name = stdnse.get_script_args(SCRIPT_NAME .. ".client")
  if client_name then
    stdnse.debug("Client name provided: %s", client_name)
    -- Sanity check the value from the user.
    if type(client_name) ~= "string" then
      return false, "Client argument must be a string."
    end
  end
  args.client_name = client_name or "Firefox OS"

  local bruteforce = stdnse.get_script_args(SCRIPT_NAME .. ".bruteforce")
  if bruteforce and bruteforce ~= "false" then
    -- accept any value but false.
    bruteforce = true
  else
    bruteforce = false
  end
  args.bruteforce = bruteforce or false

  local pin = stdnse.get_script_args(SCRIPT_NAME .. ".pin")
  if pin then
    -- Sanity check the value from the user.
    pin = tonumber(pin)
    if type(pin) ~= "number" then
      return false, "PIN argument must be a number."
    elseif pin < 0 or pin > 9999 then
      return false, "PIN argument must be in range between 0000 and 9999 inclusive."
    elseif bruteforce then
      return false, "When bruteforcing is enabled, a PIN cannot be set."
    end
  end
  args.pin = pin or 0

  return true, args
end

local remote_connect = function(host, port, client_name, pin)
  local socket = nmap.new_socket()
  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug("Can't connect: %s", err)
    return
  end
  socket:set_timeout(5000)

  local buffer, err = stdnse.make_buffer(socket, "\n")
  if err then
    socket:close()
    stdnse.debug1("Failed to create buffer from socket: %s", err)
    return
  end
  socket:send("LO_SERVER_CLIENT_PAIR\n" .. client_name .. "\n" .. pin .. "\n\n")

  return buffer, socket
end

-- Returns the Client Name, PIN, and Remote Server version if the PIN and Client Name are correct
local remote_version = function(buffer, socket, client_name, pin)
  local line, err
  -- The line we are looking for is 4 down in the response
  -- so we loop through lines until we get to that one
  for j=0,3 do
    line, err = buffer()
    if not line then
      socket:close()
      stdnse.debug1("Failed to receive line from socket: %s", err)
      return
    end

    if string.match(line, "^LO_SERVER_INFO$") then
      line, err = buffer()
      socket:close()
      local output = stdnse.output_table()
      output["Impress Version"] = line
      output["Remote PIN"] = pin
      output["Client Name used"] = client_name
      return output
    end
  end

  socket:close()
  stdnse.debug1("Failed to parse version from socket.")
  return
end

local check_pin = function(host, port, client_name, pin)
  local buffer, socket = remote_connect(host, port, client_name, pin)
  if not buffer then
    return
  end

  local line, err = buffer()
  if not line then
    socket:close()
    stdnse.debug1("Failed to receive line from socket: %s", err)
    return
  end

  if string.match(line, "^LO_SERVER_SERVER_PAIRED$") then
    return remote_version(buffer, socket, client_name, pin)
  end

  socket:close()
  stdnse.debug1("Remote Server present but PIN and/or Client Name was not accepted.")
  return
end

local bruteforce = function(host, port, client_name)
  -- There are 10000 possible PINs which we loop through
  for i=0,9999 do
    -- Pad the pin with leading zeros if required
    local pin = string.format("%04d", i)
    if i % 100 == 0 then
      stdnse.debug1("Bruteforce attempt %d with PIN %s...", i + 1, pin)
    end

    local buffer, socket = remote_connect(host, port, client_name, pin)
    if not buffer then
      return
    end

    local line, err = buffer()
    if not line then
      socket:close()
      stdnse.debug1("Failed to receive line from socket: %s", err)
      return
    end

    if string.match(line, "^LO_SERVER_SERVER_PAIRED$") then
      return remote_version(buffer, socket, client_name, pin)
    end

    socket:close()
  end

  stdnse.debug1("Failed to bruteforce PIN.")
  return
end

action = function(host, port)
  -- Parse and sanity check the command line arguments.
  local status, options = parse_args()
  if not status then
    stdnse.verbose1("ERROR: %s", options)
    return stdnse.format_output(false, options)
  end

  local result
  if options.bruteforce then
    result = bruteforce(host, port, options.client_name)
  else
    result = check_pin(host, port, options.client_name, options.pin)
  end

  if result and result["Impress Version"] then
    port.version.product = port.version.product or "LibreOffice Impress remote"
    port.version.version = result["Impress Version"]
    table.insert(port.version.cpe, ("cpe:/a:libreoffice:libreoffice:%s"):format(result["Impress Version"]))
    nmap.set_port_version(host, port, "hardmatched")
  end

  return result
end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Related for NMAP:IMPRESS-REMOTE-DISCOVER.NSE